rpm -Va BAD, key ID
Jan Rękorajski
baggins at pld-linux.org
Sun Jan 25 15:26:05 CET 2015
On Wed, 14 Jan 2015, Jeffrey Johnson wrote:
>
> On Jan 13, 2015, at 3:01 PM, Elan Ruusamäe wrote:
>
> > On 13.01.2015 19:43, Jeffrey Johnson wrote:
> >> On Jan 13, 2015, at 11:30 AM, Elan Ruusamäe wrote:
> >>
> >>> rpm -Va emits such messages:
> >>>
> >>> error: rpmdb (h#123): Header V4 DSA signature: BAD, key ID e4f1bc2d
> >>>
> >> What package is header #123? (try rpm -Vavv which should display package names near h#123).
> > that #123 is pretty much every package in the system.
> > h#xxx starts from #2 and ends with #148. 149 packages in system, 1 fake gpg package.
> >
> > rpm -Vavv of 5.4.14 and 5.4.14 can be obtained from here:
> >
> > http://carme.pld-linux.org/~glen/rpm-va.tar.xz (75K)
> >>> that's from repeated scratch installs, the key ID stays always the same (e4f1bc2d)
> >>>
> >>>
> >>> I've traced that something between rpm-5.4.14-5.x86_64 and rpm-5.4.15-6.x86_64 has caused it
> >>>
> >> rpm-5.4.14 may not attempt to verify header signatures while verifying, I forget when enabled.
> >>
> >> Removing and re-importing 0xe4f1bc2d is the 1st thing to try.
> >>
> >> You can easily patch out the attempt to verify header signatures in 5.4.15.
> >>
> >> Meanwhile more info is needed if you want a fix, including what public key (0xe4f1bc2d) is being used,
> >> and whether the public key is imported or included in packages.
> >>
> > gpg-pubkey-e4f1bc2d-47b351f0 is the key used to sign PLD Th packages:
> >
> > $ rpm -qi gpg-pubkey-e4f1bc2d-47b351f0
> >
> > Name : gpg-pubkey Relocations: (not relocatable)
> > Version : e4f1bc2d Vendor: (none)
> > Release : 47b351f0 Build Date: Fri Oct 10 01:19:35 2014
> > Install Date: Fri Oct 10 01:19:35 2014 Build Host: localhost
> > Group : Public Keys Source RPM: (none)
> > Size : 0 License: pubkey
> > Signature : (none)
> > Summary : gpg(RSApub (PLD Linux Distribution 3.0 (Th)) <th-admin at pld-linux.org>)
> ---------------------------^^^^ Presumably this is an RSA public key.
>
> > Architecture: (none)
> > Description :
> > -----BEGIN PGP PUBLIC KEY BLOCK-----
> > Version: RPM 5.4.10 (BeeCrypt)
> -------------- ^^^^^^^^^^ exported by rpm-5.4.10
[...]
> >
>
> Try resigning a package with the same key and importing using rpm-5.4.15. Does that "fix"?
No, packages signed with 5.4.15 also fail to verify with it.
The following command is used to sign packages:
rpm --resign --define '_signature gpg' --define '_gpg_name e4f1bc2d' files
So that's not a problem with our setup; from my perspective it looks like
5.4.15 has broken RSA signature verification. Can you look into it?
> There were many fixes for RSA signatures in rpm-5.4.15.
>
> These were fixes for known problems repeatedly tested with all five crypto implementations, not regressions.
>
> The testing does not exclude a regression, but there are known incompatibilities between
> rpm-5.4.15 and earlier versions of RPM with RSA signatures.
Can you elaborate what kind of incompatibilities we can expect?
--
Jan Rękorajski | PLD/Linux
SysAdm | baggins<at>pld-linux.org | http://www.pld-linux.org/
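An added diagnostic script for the triage described in this thread; it is not part of the thread, of PLD or of rpm. It groups the "Header V4 ... signature: BAD, key ID ..." lines from `rpm -Va` by key ID and by the algorithm the error names, then compares that algorithm with the one in the installed gpg-pubkey package's summary, which is the check Jeffrey Johnson makes by hand on the `gpg(RSApub ...)` line above. Assumptions: the `rpm -Va` and key-list inputs are constructed stand-ins for a real run, the key list is in the shape `rpm -q --qf '%{version} %{summary}\n' gpg-pubkey` would give, and every key type's summary starts with `gpg(<ALG>pub ...` (the thread only shows the RSA case). The script reports a mismatch; it does not claim the mismatch is the cause of the failure.

```shell
#!/bin/sh
# Added example (not from the thread, PLD or rpm): triage `rpm -Va` header-signature
# errors by key ID and compare the algorithm in the error with the installed key.

# Constructed stand-in for `rpm -Va 2>&1`; a real run would replace this.
SAMPLE_VA='error: rpmdb (h#2): Header V4 DSA signature: BAD, key ID e4f1bc2d
error: rpmdb (h#3): Header V4 DSA signature: BAD, key ID e4f1bc2d
error: rpmdb (h#123): Header V4 DSA signature: BAD, key ID e4f1bc2d
error: rpmdb (h#140): Header V4 RSA signature: BAD, key ID 01234567
S.5....T.  c /etc/foo.conf'

# Constructed stand-in for the installed keys, in the shape produced by
#   rpm -q --qf '%{version} %{summary}\n' gpg-pubkey
# Assumption: the summary of every key type starts with gpg(<ALG>pub ...).
SAMPLE_KEYS='e4f1bc2d gpg(RSApub (PLD Linux Distribution 3.0 (Th)) <th-admin@pld-linux.org>)'

# bad_sigs_by_key VA_OUTPUT
# Prints one line per key ID: "<keyid> <count> <algorithm named in the error>".
bad_sigs_by_key() {
    printf '%s\n' "$1" |
    sed -n 's/^error: rpmdb (h#\([0-9]*\)): Header V[0-9]* \([A-Z]*\) signature: BAD, key ID \([0-9a-f]*\)$/\3 \2 \1/p' |
    awk '{ n[$1]++; algo[$1] = $2 } END { for (k in n) print k, n[k], algo[k] }' |
    LC_ALL=C sort
}

# key_algo KEYID KEY_LIST
# Prints the algorithm of the imported gpg-pubkey whose version is KEYID, or "none".
key_algo() {
    printf '%s\n' "$2" | awk -v k="$1" '
        $1 == k { a = $2; sub(/^gpg\(/, "", a); sub(/pub.*/, "", a); print a; found = 1 }
        END { if (!found) print "none" }'
}

# report VA_OUTPUT KEY_LIST
# One verdict line per key ID that appears in BAD header-signature errors.
report() {
    bad_sigs_by_key "$1" | while read -r kid count algo; do
        inst=$(key_algo "$kid" "$2")
        case "$inst" in
            none)    verdict="no gpg-pubkey-$kid package in the key list" ;;
            "$algo") verdict="error and installed key both say $algo" ;;
            *)       verdict="error names $algo but installed key is $inst" ;;
        esac
        printf '%s: %s bad header signature(s); %s\n' "$kid" "$count" "$verdict"
    done
}

report "$SAMPLE_VA" "$SAMPLE_KEYS"
```

On a real system, feed it `rpm -Va 2>&1` and the gpg-pubkey query above instead of the constructed strings; `rpm -Vavv` is still the way to map an `h#` number back to a package name, as suggested in the thread.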